github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 20:34:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(auth-profiles): unify coercion and add rejected-entry diagnostics

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 14:42:00 +01:00
parent 96aad965ab
commit 8315c58675
2 changed files with 217 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

166
src/agents/auth-profiles.ensureauthprofilestore.test.ts
View File

@@ -1,9 +1,9 @@
import fs from "node:fs"; import fs from "node:fs";
import os from "node:os"; import os from "node:os";
import path from "node:path"; import path from "node:path";
import { describe, expect, it } from "vitest"; import { describe, expect, it, vi } from "vitest";
import { ensureAuthProfileStore } from "./auth-profiles.js"; import { ensureAuthProfileStore } from "./auth-profiles.js";
import { AUTH_STORE_VERSION } from "./auth-profiles/constants.js"; import { AUTH_STORE_VERSION, log } from "./auth-profiles/constants.js";
describe("ensureAuthProfileStore", () => { describe("ensureAuthProfileStore", () => {
it("migrates legacy auth.json and deletes it (PR #368)", () => { it("migrates legacy auth.json and deletes it (PR #368)", () => {
@@ -123,35 +123,155 @@ describe("ensureAuthProfileStore", () => {
} }
}); });
it("accepts mode/apiKey aliases so users who follow openclaw.json format are not silently broken", () => { it("normalizes auth-profiles credential aliases with canonical-field precedence", () => {
// A common mistake: users write auth-profiles.json using the same field names const cases = [
// as openclaw.json auth.profiles ("mode" + "apiKey") instead of the canonical {
// auth-profiles.json fields ("type" + "key"). The parser now normalises both. name: "mode/apiKey aliases map to type/key",
const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-alias-")); profile: {
try { provider: "anthropic",
const storeWithAliases = { mode: "api_key",
version: AUTH_STORE_VERSION, apiKey: "sk-ant-alias",
profiles: {
"anthropic:work": {
provider: "anthropic",
mode: "api_key", // alias for "type"
apiKey: "sk-ant-alias-test", // alias for "key"
},
}, },
}; expected: {
type: "api_key",
key: "sk-ant-alias",
},
},
{
name: "canonical type overrides conflicting mode alias",
profile: {
provider: "anthropic",
type: "api_key",
mode: "token",
key: "sk-ant-canonical",
},
expected: {
type: "api_key",
key: "sk-ant-canonical",
},
},
{
name: "canonical key overrides conflicting apiKey alias",
profile: {
provider: "anthropic",
type: "api_key",
key: "sk-ant-canonical",
apiKey: "sk-ant-alias",
},
expected: {
type: "api_key",
key: "sk-ant-canonical",
},
},
{
name: "canonical profile shape remains unchanged",
profile: {
provider: "anthropic",
type: "api_key",
key: "sk-ant-direct",
},
expected: {
type: "api_key",
key: "sk-ant-direct",
},
},
] as const;
for (const testCase of cases) {
const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-alias-"));
try {
const storeData = {
version: AUTH_STORE_VERSION,
profiles: {
"anthropic:work": testCase.profile,
},
};
fs.writeFileSync(
path.join(agentDir, "auth-profiles.json"),
`${JSON.stringify(storeData, null, 2)}\n`,
"utf8",
);
const store = ensureAuthProfileStore(agentDir);
expect(store.profiles["anthropic:work"], testCase.name).toMatchObject(testCase.expected);
} finally {
fs.rmSync(agentDir, { recursive: true, force: true });
}
}
});
it("normalizes mode/apiKey aliases while migrating legacy auth.json", () => {
const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-legacy-alias-"));
try {
fs.writeFileSync( fs.writeFileSync(
path.join(agentDir, "auth-profiles.json"), path.join(agentDir, "auth.json"),
`${JSON.stringify(storeWithAliases, null, 2)}\n`, `${JSON.stringify(
{
anthropic: {
provider: "anthropic",
mode: "api_key",
apiKey: "sk-ant-legacy",
},
},
null,
2,
)}\n`,
"utf8", "utf8",
); );
const store = ensureAuthProfileStore(agentDir); const store = ensureAuthProfileStore(agentDir);
const profile = store.profiles["anthropic:work"]; expect(store.profiles["anthropic:default"]).toMatchObject({
expect(profile).toBeDefined(); type: "api_key",
expect(profile?.type).toBe("api_key"); provider: "anthropic",
expect((profile as { key?: string }).key).toBe("sk-ant-alias-test"); key: "sk-ant-legacy",
});
} finally { } finally {
fs.rmSync(agentDir, { recursive: true, force: true }); fs.rmSync(agentDir, { recursive: true, force: true });
} }
}); });
it("logs one warning with aggregated reasons for rejected auth-profiles entries", () => {
const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-invalid-"));
const warnSpy = vi.spyOn(log, "warn").mockImplementation(() => undefined);
try {
const invalidStore = {
version: AUTH_STORE_VERSION,
profiles: {
"anthropic:missing-type": {
provider: "anthropic",
},
"openai:missing-provider": {
type: "api_key",
key: "sk-openai",
},
"qwen:not-object": "broken",
},
};
fs.writeFileSync(
path.join(agentDir, "auth-profiles.json"),
`${JSON.stringify(invalidStore, null, 2)}\n`,
"utf8",
);
const store = ensureAuthProfileStore(agentDir);
expect(store.profiles).toEqual({});
expect(warnSpy).toHaveBeenCalledTimes(1);
expect(warnSpy).toHaveBeenCalledWith(
"ignored invalid auth profile entries during store load",
{
source: "auth-profiles.json",
dropped: 3,
reasons: {
invalid_type: 1,
missing_provider: 1,
non_object: 1,
},
keys: ["anthropic:missing-type", "openai:missing-provider", "qwen:not-object"],
},
);
} finally {
warnSpy.mockRestore();
fs.rmSync(agentDir, { recursive: true, force: true });
}
});
}); });

114
src/agents/auth-profiles/store.ts
View File

@@ -9,14 +9,10 @@ import { ensureAuthStoreFile, resolveAuthStorePath, resolveLegacyAuthStorePath }
import type { AuthProfileCredential, AuthProfileStore, ProfileUsageStats } from "./types.js"; import type { AuthProfileCredential, AuthProfileStore, ProfileUsageStats } from "./types.js";
type LegacyAuthStore = Record<string, AuthProfileCredential>; type LegacyAuthStore = Record<string, AuthProfileCredential>;
type CredentialRejectReason = "non_object" | "invalid_type" | "missing_provider";
type RejectedCredentialEntry = { key: string; reason: CredentialRejectReason };
function _syncAuthProfileStore(target: AuthProfileStore, source: AuthProfileStore): void { const AUTH_PROFILE_TYPES = new Set<AuthProfileCredential["type"]>(["api_key", "oauth", "token"]);
target.version = source.version;
target.profiles = source.profiles;
target.order = source.order;
target.lastGood = source.lastGood;
target.usageStats = source.usageStats;
}
export async function updateAuthProfileStoreWithLock(params: { export async function updateAuthProfileStoreWithLock(params: {
agentDir?: string; agentDir?: string;
@@ -61,6 +57,49 @@ function normalizeRawCredentialEntry(raw: Record<string, unknown>): Partial<Auth
return entry as Partial<AuthProfileCredential>; return entry as Partial<AuthProfileCredential>;
} }
function parseCredentialEntry(
raw: unknown,
fallbackProvider?: string,
): { ok: true; credential: AuthProfileCredential } | { ok: false; reason: CredentialRejectReason } {
if (!raw || typeof raw !== "object") {
return { ok: false, reason: "non_object" };
}
const typed = normalizeRawCredentialEntry(raw as Record<string, unknown>);
if (!AUTH_PROFILE_TYPES.has(typed.type as AuthProfileCredential["type"])) {
return { ok: false, reason: "invalid_type" };
}
const provider = typed.provider ?? fallbackProvider;
if (typeof provider !== "string" || provider.trim().length === 0) {
return { ok: false, reason: "missing_provider" };
}
return {
ok: true,
credential: {
...typed,
provider,
} as AuthProfileCredential,
};
}
function warnRejectedCredentialEntries(source: string, rejected: RejectedCredentialEntry[]): void {
if (rejected.length === 0) {
return;
}
const reasons = rejected.reduce(
(acc, current) => {
acc[current.reason] = (acc[current.reason] ?? 0) + 1;
return acc;
},
{} as Partial<Record<CredentialRejectReason, number>>,
);
log.warn("ignored invalid auth profile entries during store load", {
source,
dropped: rejected.length,
reasons,
keys: rejected.slice(0, 10).map((entry) => entry.key),
});
}
function coerceLegacyStore(raw: unknown): LegacyAuthStore | null { function coerceLegacyStore(raw: unknown): LegacyAuthStore | null {
if (!raw || typeof raw !== "object") { if (!raw || typeof raw !== "object") {
return null; return null;
@@ -70,19 +109,16 @@ function coerceLegacyStore(raw: unknown): LegacyAuthStore | null {
return null; return null;
} }
const entries: LegacyAuthStore = {}; const entries: LegacyAuthStore = {};
const rejected: RejectedCredentialEntry[] = [];
for (const [key, value] of Object.entries(record)) { for (const [key, value] of Object.entries(record)) {
if (!value || typeof value !== "object") { const parsed = parseCredentialEntry(value, key);
if (!parsed.ok) {
rejected.push({ key, reason: parsed.reason });
continue; continue;
} }
const typed = normalizeRawCredentialEntry(value as Record<string, unknown>); entries[key] = parsed.credential;
if (typed.type !== "api_key" && typed.type !== "oauth" && typed.type !== "token") {
continue;
}
entries[key] = {
...typed,
provider: String(typed.provider ?? key),
} as AuthProfileCredential;
} }
warnRejectedCredentialEntries("auth.json", rejected);
return Object.keys(entries).length > 0 ? entries : null; return Object.keys(entries).length > 0 ? entries : null;
} }
@@ -96,19 +132,16 @@ function coerceAuthStore(raw: unknown): AuthProfileStore | null {
} }
const profiles = record.profiles as Record<string, unknown>; const profiles = record.profiles as Record<string, unknown>;
const normalized: Record<string, AuthProfileCredential> = {}; const normalized: Record<string, AuthProfileCredential> = {};
const rejected: RejectedCredentialEntry[] = [];
for (const [key, value] of Object.entries(profiles)) { for (const [key, value] of Object.entries(profiles)) {
if (!value || typeof value !== "object") { const parsed = parseCredentialEntry(value);
if (!parsed.ok) {
rejected.push({ key, reason: parsed.reason });
continue; continue;
} }
const typed = normalizeRawCredentialEntry(value as Record<string, unknown>); normalized[key] = parsed.credential;
if (typed.type !== "api_key" && typed.type !== "oauth" && typed.type !== "token") {
continue;
}
if (!typed.provider) {
continue;
}
normalized[key] = typed as AuthProfileCredential;
} }
warnRejectedCredentialEntries("auth-profiles.json", rejected);
const order = const order =
record.order && typeof record.order === "object" record.order && typeof record.order === "object"
? Object.entries(record.order as Record<string, unknown>).reduce( ? Object.entries(record.order as Record<string, unknown>).reduce(
@@ -242,19 +275,26 @@ function applyLegacyStore(store: AuthProfileStore, legacy: LegacyAuthStore): voi
} }
} }
function loadCoercedStoreWithExternalSync(authPath: string): AuthProfileStore | null {
const raw = loadJsonFile(authPath);
const store = coerceAuthStore(raw);
if (!store) {
return null;
}
// Sync from external CLI tools on every load.
const synced = syncExternalCliCredentials(store);
if (synced) {
saveJsonFile(authPath, store);
}
return store;
}
export function loadAuthProfileStore(): AuthProfileStore { export function loadAuthProfileStore(): AuthProfileStore {
const authPath = resolveAuthStorePath(); const authPath = resolveAuthStorePath();
const raw = loadJsonFile(authPath); const asStore = loadCoercedStoreWithExternalSync(authPath);
const asStore = coerceAuthStore(raw);
if (asStore) { if (asStore) {
// Sync from external CLI tools on every load
const synced = syncExternalCliCredentials(asStore);
if (synced) {
saveJsonFile(authPath, asStore);
}
return asStore; return asStore;
} }
const legacyRaw = loadJsonFile(resolveLegacyAuthStorePath()); const legacyRaw = loadJsonFile(resolveLegacyAuthStorePath());
const legacy = coerceLegacyStore(legacyRaw); const legacy = coerceLegacyStore(legacyRaw);
if (legacy) { if (legacy) {
@@ -277,14 +317,8 @@ function loadAuthProfileStoreForAgent(
_options?: { allowKeychainPrompt?: boolean }, _options?: { allowKeychainPrompt?: boolean },
): AuthProfileStore { ): AuthProfileStore {
const authPath = resolveAuthStorePath(agentDir); const authPath = resolveAuthStorePath(agentDir);
const raw = loadJsonFile(authPath); const asStore = loadCoercedStoreWithExternalSync(authPath);
const asStore = coerceAuthStore(raw);
if (asStore) { if (asStore) {
// Sync from external CLI tools on every load
const synced = syncExternalCliCredentials(asStore);
if (synced) {
saveJsonFile(authPath, asStore);
}
return asStore; return asStore;
} }